Closed paul-uz closed 3 months ago
It's hard to stop the errorredirect, as it seems to be working as intended. Please let us know why exactly we'd need to block, and we'll look into it. Normally our service would prevent your servers from getting too many requests.
We want to try and block initial attempts at hotlinking images as they are the IP of our clients. Various Chinese sites are using your service to hotlink the images. By blocking your service initially, a cached copy of the image can never be created.
Hotlink protection (based on the HTTP referer header) can be easily bypassed these days with a referrerpolicy of no-referrer, which can be set on the HTML document with:
<meta name="referrer" content="no-referrer" />
Or on specific images with:
<img src="https://example.com/images/myimage.jpg" referrerpolicy="no-referrer">
Therefore, there are no plans to make the &default= / &errorredirect= query strings opt-out for some URLs.
Note that nowadays you could set the Cross-Origin-Resource-Policy: same-origin (CORP) header on the images you serve for enhanced hotlink protection, which is also effective even when referrerpolicy is used, see:
https://exact.realty/blog/posts/2022/10/09/hotlink-protection-in-2022/
I assumed that using the &default= / &errorredirect= query strings implies referrerpolicy="no-referrer", but this isn't the case. It looks like the original referrer is still retained.
We have implemented an IP block already, but some images have already been cached; how can we get the cached images removed?
If you want, you can send us an email with the images that are affected and need to be purged from cache.
I hope this information helped. Please feel free to re-open if questions remain.
how can we get the cached images removed?
Let's track this at #14.
We would like to entirely block the usage of https://wsrv.nl/ linking our images on other sites.
We have implemented an IP block already, but some images have already been cached; how can we get the cached images removed?
Also, I noticed the query param errorredirect - how can we effectively stop that from being useful? We've blocked wsrv.nl, and would want to stop the redirect happening as well.
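The reply above contrasts Referer-based hotlink protection with the Cross-Origin-Resource-Policy: same-origin header. The sketch below is an added example, not code from wsrv.nl or from anyone in this thread, and walks three image requests through both checks. SITE_ORIGIN, the sample URLs and all function names are constructed for illustration, and browserRenders is a simplified model of the browser's CORP check that handles only the same-origin value.

```javascript
// Origin that is allowed to embed the images (constructed value).
const SITE_ORIGIN = "https://example.com";

// Classic hotlink check: reject only when a foreign Referer is present.
// A request with no Referer has to pass, or direct visits would break.
function refererCheck(headers) {
  const ref = headers["referer"];
  if (!ref) return true; // a page using referrerpolicy="no-referrer" lands here
  try {
    return new URL(ref).origin === SITE_ORIGIN;
  } catch {
    return false; // malformed Referer value
  }
}

// Server side: decide status and headers for an image request.
function imageResponse(headers) {
  if (!refererCheck(headers)) return { status: 403, headers: {} };
  return {
    status: 200,
    headers: {
      "content-type": "image/jpeg",
      "cross-origin-resource-policy": "same-origin",
    },
  };
}

// Simplified model of the browser's CORP check for an <img> embed.
function browserRenders(pageOrigin, imageUrl, response) {
  if (response.status !== 200) return false;
  const corp = response.headers["cross-origin-resource-policy"];
  if (corp === "same-origin") return new URL(imageUrl).origin === pageOrigin;
  return true;
}

// Three constructed requests: own page, foreign page, foreign page without Referer.
function demo() {
  const img = SITE_ORIGIN + "/images/myimage.jpg";
  const cases = [
    ["own page", SITE_ORIGIN, { referer: SITE_ORIGIN + "/gallery" }],
    ["foreign page, Referer sent", "https://other.example", { referer: "https://other.example/post" }],
    ["foreign page, no-referrer", "https://other.example", {}],
  ];
  return cases.map(([name, pageOrigin, headers]) => {
    const res = imageResponse(headers);
    return { name, status: res.status, rendered: browserRenders(pageOrigin, img, res) };
  });
}

console.log(demo());
```

CORP is enforced by the browser, so it has no effect on a server-side fetch; that case is what the IP block mentioned in the thread covers.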